こんにちは TAG-さん!

I'm requesting an early TAG design review of Device Bound Session Credentials.

Device Bound Session Credentials (DBSC) aims to reduce account hijacking caused by cookie theft. It does so by introducing a protocol and browser infrastructure to maintain and prove possession of a cryptographic key. The main challenge with cookies as an authentication mechanism is that they only lend themselves to bearer-token schemes. On desktop operating systems, application isolation is lacking and local malware can generally access anything that the browser itself can, and the browser must be able to access cookies. On the other hand, authentication with a private key allows for the use of system-level protection against key exfiltration.

• Explainer¹: https://github.com/w3c/webappsec-dbsc/blob/main/README.md
• User research: None
• Security and Privacy self-review²: https://github.com/w3c/webappsec-dbsc/blob/main/security-privacy-questionnaire.md
• GitHub repo: https://github.com/w3c/webappsec-dbsc/tree/main
• Primary contacts:
  • Daniel Rubery (@drubery), Google, Implementer
• Organization/project driving the design: Google
• Multi-stakeholder feedback³:
  • Chromium comments: Intent to Prototype submitted without objection.
  • Mozilla comments: https://github.com/mozilla/standards-positions/issues/912
  • WebKit comments: https://github.com/WebKit/standards-positions/issues/281

Further details:

• [y] I have reviewed the TAG's Web Platform Design Principles
• The group where the incubation/design work on this is being done (or is intended to be done in the future): WebAppSec
• The group where standardization of this work is intended to be done ("unknown" if not known): unknown
• Existing major pieces of multi-implementer review or discussion of this design:
• Major unresolved issues with or opposition to this design: None so far, some small questions about the degree of device binding per platform
• This work is being funded by: Google